Re: [GENERAL] users in Postgresql

From: Peter Eisentraut <e99re41(at)DoCS(dot)UU(dot)SE>
To: gerald(at)interface-business(dot)de
Cc: Bruce Momjian <maillist(at)candle(dot)pha(dot)pa(dot)us>, pgsql-general <pgsql-general(at)postgreSQL(dot)org>, Carlos Vicente Altamirano <altacar(at)redes(dot)unam(dot)mx>, Charles Tassell <ctassell(at)isn(dot)net>
Subject: Re: [GENERAL] users in Postgresql
Date: 1999-11-04 09:26:24
Message-ID: Pine.GSO.4.02A.9911041020160.1524-100000@Hund.DoCS.UU.SE
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general pgsql-hackers

On Thu, 4 Nov 1999 postgres(at)taifun(dot)interface-business(dot)de wrote:

> > CREATE USER sql command updates the file, but an UPDATE on pg_shadow
> > does not.
>
> IMHO, that's a bug:
> It's not forbidden to update or insert into pg_shadow by rule, but if
> I do that I will get inconsistent authentication data.
> Why not revoke INSERT and UPDATE on pg_shadow?

That way the postgres superuser (the one that would ideally be
adding/removing users) can still access it. Access control doesn't apply
to table owners. And I'm not even sure if the CREATE USER command doesn't
depend on the insert privilege existing (vs the create user privilege of
the one that's executing it). It's not all that clear.

> Or better:
> Why not use a trigger on pg_shadow, to handle pg_pwd correctly?
> The trigger code is allways in "create/alter user" command handler.

I was thinking about some sort of internal hook that sees any access to
pg_shadow and redirects it to a file. Don't even have the table anymore.
Sort of like /dev/* devices are handled by the kernel.

I was going about looking into this a little, but since I have never
played with the backend I cannot promise a result in finite time.

-Peter

--
Peter Eisentraut Sernanders vaeg 10:115
peter_e(at)gmx(dot)net 75262 Uppsala
http://yi.org/peter-e/ Sweden

In response to

Browse pgsql-general by date

  From Date Subject
Next Message Peter Eisentraut 1999-11-04 09:40:21 Re: [GENERAL] indexed regex select optimisation missing?
Previous Message Stuart Woolford 1999-11-04 09:13:19 Re: [GENERAL] indexed regex select optimisation missing?

Browse pgsql-hackers by date

  From Date Subject
Next Message Vince Vielhaber 1999-11-04 10:48:02 Re: [HACKERS] PostgreSQL 6.5.3 built, but not released ...
Previous Message Ansley, Michael 1999-11-04 09:12:48 RE: [HACKERS] sort on huge table